Legal Information

Ascendant Accountants Limited Privacy Notice

Prepared to align with the current Ascendant engagement terms, Gateley’s reviewed GDPR wording, and the latest ICAEW engagement letter guidance. This version is designed for publication at ascendantaccountants.com/legal-information/privacy-policy/ and should be kept aligned with the Terms of Business and Service Descriptions.

Key points

  • We use personal information to provide professional services, run our business, meet legal and regulatory obligations, protect our systems, and communicate with you.
  • We normally act as an independent controller when providing our services. If a specific service or agreement says otherwise for a particular activity, that service-specific wording will apply.
  • We may use UK and overseas team members, cloud systems, software providers and AI-assisted tools, subject to appropriate confidentiality, security and legal safeguards.
  • If you provide us with personal information about other people, you should make sure you are entitled to do so and have given them the necessary privacy information.

1. Who we are

Ascendant Accountants Limited (“Ascendant”, “we”, “us” or “our”) is the controller for the personal information described in this notice, unless a more specific notice or service-specific agreement says otherwise.

We operate as a UK professional services group and may trade under different brand or trading names from time to time. This notice applies whenever you interact with us or with a website, portal, product or service operated by or on behalf of Ascendant Accountants Limited, unless you are given a more specific privacy notice for a particular activity.

We are regulated by the Institute of Chartered Accountants in England and Wales (ICAEW) and follow professional, ethical and legal obligations relevant to the services we provide.

2. How to contact us

If you have questions about this notice, want to exercise your data protection rights, or want more information about how we handle personal information, please contact us:

  • Email: info@ascendantaccountants.com (for the attention of the Data Protection Officer)
  • Post: please request our current registered office address by email or refer to the legal information page on the relevant Ascendant website or the Companies House register.

3. Who this notice covers

This notice may apply to individuals whose personal information we handle, including:

  • website, portal and app users;
  • prospective clients and people who contact us;
  • clients who are individuals, and people associated with our clients such as directors, shareholders, trustees, partners, members, employees and authorised users;
  • supplier, referrer and partner contacts;
  • event, webinar and meeting attendees; and
  • people who receive our marketing or communications.

Employee and worker personal information is covered by separate internal notices and policies. Recruitment activities may be covered by a separate recruitment privacy notice where one is provided.

4. The personal information we collect

The personal information we collect depends on how you interact with us and the services we provide. It may include:

  • identity and contact details, such as name, title, employer, address, email address and telephone number;
  • client onboarding and compliance information, such as copies or references to identity documents, proof of address, date of birth, beneficial ownership information, sanctions and screening results, and records of checks performed;
  • professional services information, such as books and records, payroll information, tax and financial information, correspondence, and information provided to us to deliver services;
  • account and access information, such as usernames, authentication information and audit logs for portals and tools;
  • communications, such as emails, meeting notes, call recordings where permitted, and support requests;
  • website and device information, such as IP address, browser type, device identifiers, cookie identifiers and usage data;
  • event and marketing preference information; and
  • risk, security and fraud-prevention information, such as incident logs and compliance records.

We do not knowingly collect personal information from children through our services. If you believe a child has provided personal information to us, please contact us so we can take appropriate steps.

5. Special category and criminal convictions information

Some personal information is treated as more sensitive under data protection law. This includes “special category” information (for example health information) and information relating to criminal convictions and offences.

We do not generally need special category information to provide standard accountancy services, but it may arise in limited situations, for example where relevant to employment, benefits, litigation, due diligence or specific advisory work. We may also process information relating to criminal convictions and offences where required or permitted, including for anti-money laundering checks, fraud prevention and compliance.

Where we process this kind of information, we do so only where the law allows, apply appropriate safeguards, and limit access on a need-to-know basis.

6. Where we get personal information from

We may collect personal information from a range of sources, including:

  • directly from you, for example when you contact us, sign engagement documents, use our portals or give us information to provide services;
  • from your employer or the organisation you represent;
  • from clients, advisers or other parties involved in an engagement, such as legal advisers, lenders, brokers, insurers or counterparties;
  • from public sources, such as Companies House and other public registers;
  • from identity verification, screening and due diligence providers used to meet legal and regulatory obligations; and
  • from technology and security systems, such as access logs, portal usage information and monitoring tools.

7. How we use personal information and our lawful bases

UK data protection law requires us to have a lawful basis for using personal information. More than one lawful basis can apply depending on the context. We mainly use personal information for the following reasons:

Respond to enquiries and manage relationships

Examples: contact details, correspondence and meeting notes.
Lawful basis: Legitimate interests; and/or taking steps before entering a contract.

Provide professional services

Examples: client records, financial and tax information, payroll information, communications and portal data.
Lawful basis: Performance of a contract; legitimate interests; and/or legal obligation, depending on the service.

Client onboarding, due diligence and compliance

Examples: identity documents, proof of address, screening results, beneficial ownership information and risk assessments.
Lawful basis: Legal obligation; and/or legitimate interests.

Meet legal and regulatory obligations

Examples: professional records, filings, reporting, audit trails and compliance evidence.
Lawful basis: Legal obligation; and/or legitimate interests.

Operate, secure and improve our websites, portals and systems

Examples: login data, audit logs, device and usage data, security logs and cookie identifiers.
Lawful basis: Legitimate interests; and in some cases consent under PECR.

Marketing and business development

Examples: contact details, marketing preferences and interaction history.
Lawful basis: Legitimate interests and/or consent, especially for electronic marketing where required by PECR.

Events and communications

Examples: registration details, accessibility information you choose to share and communications.
Lawful basis: Contract where applicable; legitimate interests; and/or consent.

Protect our rights, manage disputes and enforce agreements

Examples: correspondence, engagement documents, file notes and claim-related information.
Lawful basis: Legitimate interests; legal obligation; and/or legal claims.

If we rely on consent, for example for certain cookies or some direct marketing, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before you withdrew it.

8. Controller position and your responsibilities when sharing personal information with us

In line with the current legal advice we have received and the nature of most professional services we provide, we normally act as an independent controller when processing personal information for our engagements. That means we decide how to deliver our services, keep professional records, meet legal and regulatory obligations, and protect our business and systems.

If a specific service agreement or service description states that we act in a different role for a particular activity, that service-specific wording will apply to that activity.

If you provide us with personal information about other people, you should only do so where:

  • you have provided the necessary information to those individuals about how their personal information will be used (and you may use or refer to this notice for that purpose);
  • you have a lawful basis for sharing that information with us; and
  • you have complied with the relevant requirements of data protection law to enable that disclosure.

9. Who we share personal information with

We may share personal information where necessary for the purposes described above, including with:

  • our group companies, trading brands and offices where relevant to delivering services and operating the business;
  • professional advisers such as lawyers, auditors, insurers and consultants;
  • technology and service providers who support our business operations, such as hosting, IT support, communications, document management, e-signature, practice management, workflow, portal, security, analytics and AI-assisted software providers;
  • banks, payment service providers and finance partners where relevant to payments or services;
  • identity verification, screening and due diligence providers;
  • regulators, supervisory bodies, government agencies and law enforcement where required or permitted, including HMRC, Companies House and other authorities; and
  • third parties involved in an engagement where you ask us to or where it is necessary, such as lenders, brokers, counterparties or other advisers.

We may also disclose personal information where reasonably necessary in connection with a proposed or actual sale, acquisition, merger, investment, financing, restructuring or transfer of all or part of our business, provided appropriate confidentiality and legal protections are in place.

Where service providers process personal information for us, we require them to protect it and use it only for the services they provide to us, unless they act as an independent controller in their own right.

10. International transfers

Some of our team members, group operations or service providers may involve processing personal information outside the UK. This can include support teams, cloud platforms, software providers and other service providers located in, or accessing data from, other countries.

Where we transfer personal information internationally, we use the safeguards required by UK law, such as adequacy regulations where available, or approved contractual safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

You can ask us for more information about the safeguards we use by contacting us using the details above.

11. Cloud systems, software providers and AI-assisted tools

We use modern systems and tools to deliver our services efficiently and securely. That can include cloud software, workflow platforms, communications tools, portals, analytics, search tools and AI-assisted tools.

Where we use AI-assisted tools, we do so subject to confidentiality, security controls, professional oversight and legal safeguards. We do not use client confidential information to train public or open AI models unless we specifically tell you and have a lawful basis to do so.

The use of these tools does not change our professional responsibilities to you.

12. Security

We use technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, alteration or disclosure. These include access controls, encryption where appropriate, security monitoring, contractual controls with service providers, and staff training. No system is completely secure, but we work to maintain appropriate safeguards for a professional services firm.

13. How long we keep personal information

We keep personal information for as long as necessary for the purposes described in this notice. Retention periods vary depending on the type of information, the services provided, and legal or regulatory requirements.

For example, anti-money laundering laws require us to keep certain customer due diligence records for a minimum period after the end of a business relationship or completion of a transaction. We may also retain information where needed to establish, exercise or defend legal claims, to meet professional standards, or to resolve disputes. When retention periods end, we securely delete or anonymise the information.

14. Your rights

Under UK data protection law, you may have the following rights, subject to legal conditions and exemptions:

  • the right to be informed about how we use your personal information;
  • the right of access to a copy of the personal information we hold about you;
  • the right to rectification of inaccurate or incomplete information;
  • the right to erasure in certain circumstances;
  • the right to restrict processing in certain circumstances;
  • the right to data portability in certain circumstances where processing is based on consent or contract;
  • the right to object to processing based on legitimate interests, including an absolute right to object to direct marketing;
  • the right to withdraw consent at any time where we rely on consent; and
  • rights related to automated decision-making and profiling.

To exercise your rights, please contact us using the details above. We may need to verify your identity before responding.

15. Marketing choices

You can opt out of direct marketing at any time. Where we send electronic marketing, such as email or SMS, we do so in line with PECR. You can use the unsubscribe link in emails, follow the opt-out instructions in messages, or contact us directly. Opting out will not affect service communications we need to send you about an engagement, account or legal or regulatory issue.

16. Cookies and similar technologies

Our websites and digital services may use cookies and similar technologies to operate, remember your preferences, understand how visitors use our services, improve performance and support security. Some cookies are essential and others require consent. Please see our Cookie Policy for more detail.

Current cookie policy link: https://ascendantaccountants.com/legal-information/cookies-policy/

17. Complaints

We take privacy concerns seriously. If you have a complaint about how we use your personal information, please contact us first and we will investigate and respond.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.

18. Changes to this notice

We may update this notice from time to time to reflect changes in law, guidance, our services, or how we use personal information. The latest version will be published on the relevant Ascendant website. Where appropriate, we may notify you of material changes.